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SUMMARY 

An Advanced sensor failure Detection, Isolation, and Accommodation (ADIA) 
algorithm has been developed for use with an aircraft turbofan engine control 
system. In a previous paper the authors described the ADIA algorithm and Its 
real-time Implementation. This paper discusses subsequent Improvements made 
to the algorithm and Implementation, and presents the results of an 
evaluation. The evaluation used a real-time, hybrid computer simulation of an 
F100 turbofan engine. 


INTRODUCTION 

The ADIA program (ref. 1) Is an effort to Improve the overall demonstrated 
reliability of digital electronic control systems for aircraft turbine engines 
by detecting sensor failures using analytical redundancy. Various redundancy 
management techniques have been applied to both the total control system and 
to Individual components. The least reliable of the control system components 
are the engine sensors. Typically, sensor redundancy Is required to achieve 
adequate control system reliability. The ADIA approach uses analytical redun- 
dancy to achieve reliability. 

Analytical redundancy uses a reference model of the engine and redundant 
Information from dissimilar sensors to provide an estimate of a measured vari- 
able. How the estimates and measurements are used to detect failures Is one 
way to differentiate the various analytical redundancy approaches. The ADIA 
algorithm Is based upon hypothesis testing of Kalman filter generated residuals. 
Considerable work has been accomplished In the application of analytical 
redundancy to Improve turbine engine control system reliability. These accom- 
plishments are surveyed In reference 2. 

The ADIA program has been organized Into four phases: development. 

Implementation, evaluation, and demonstration. Reference 1 describes the 
development and Implementation phases. This paper describes additional devel- 
opment and Implementation details as well as giving the significant real-time 
hybrid computer evaluation results. The ADIA algorithm will be demonstrated on 
an F100 engine at the NASA Lewis Research Center altitude test facility during 
the last half of 1986. The paper will briefly describe the ADIA algorithm and 
the simplified engine model used In the algorithm. Also Included Is a descrip- 
tion of the hardware and software used to Implement the algorithm. Finally, 
results are presented. These Include simplified model accuracy and ADIA per- 
formance for hard and soft failures. 



ALGORITHM DEVELOPMENT 


The ADIA algorithm detects, Isolates, and accommodates sensor failures In 
turbofan engine control systems. The ADIA algorithm was originally developed 
for Lewis under contract (ref. 3). The algorithm Incorporates advanced filter- 
ing and detection logic and Is general enough to be applied to different 
engines or other types of control systems. A specific version of the ADIA 
algorithm was designed for the F100 engine and F100 Multivariable Control. 

This combination of engine, control, and ADIA algorithm comprises the F100 
testbed system shown In figure 1. 

The ADIA algorithm consists of three elements: (1) hard failure detection 

and Isolation logic, (2) soft failure detection and Isolation logic, and (3) 
an accommodation filter. These are shown as part of the testbed system In 
figure 1. The algorithm detects two classes of sensor failures, hard and soft. 
Hard failures are out-of-range or large bias errors that occur Instantaneously 
In the sensed values. Soft failures are small bias errors or drift errors 
that accumulate relatively slowly with time. 

The algorithm Inputs are the measured engine Inputs, u m (t), (fuel flow, 
no//_le area, compressor Inlet guide vane angle, rear compressor variable vane 
angle, and bleed flow) and the measured engine outputs, z m (t) (fan speed, 
compressor speed, burner pressure, augment-or pressure, and fan turbine Inlet 
temperature). The algorithm outputs, z(t), are optimal estimates of the engine 
outputs, z(t). 

The hard failure detection logic uses residuals generated by the accom- 
modation filter to detect and Isolate hard failure. The soft failure logic 
uses six hypothesis filters (one normal mode and five failure modes) to detect 
and Isolate soft failures. Implicit In the soft failure Isolation logic and 
the accommodation filter Is a simplified engine model. The algorithm Imple- 
mentation and hybrid evaluation phases of the program have resulted In several 
Improvements to both the structure and operation of the algorithm. 

The most significant Improvement has been the removal of the sequential 
structure of the soft detection and soft Isolation logic. Originally, the 
philosophy of the algorithm was to detect the presence of a soft failure with 
a Weighted Sum of Squared Residuals (WSSR) statistic. Once a failure had been 
detected, then an hypothesis-based bank- of- f 1 1 ters approach was used to Isolate 
the faulty component. Since soft failures are uncommon events and since the 
hypothesis-based logic takes a significant computational capability, the orig- 
inal Implementation approach was to calculate the WSSR statistic each update 
cycle and only calculate the Isolation logic when required. This forces a 
higher computational load and thus a longer update Interval only during soft 
Isolation. However, the three computer, parallel processing architecture, 
with which the ADIA algorithm has been Implemented, has sufficient processing 
power to calculate the complete algorithm Including the soft Isolation logic 
during each update Interval. With this Implementation, described In the next 
section, the update Interval does not change during soft Isolation. Also, 
since the hypothesis filters are continuously tracking, the effect of sensor 
failures begins to accrue from the time of the failure, not. after soft detec- 
tion has occurred. Initial studies with this new configuration showed the 
Isolation logic to be more sensitive to failures than the soft detection logic. 
In«effect, failures were being Isolated before they were being detected. This 
clearly removed the requirement for the WSSR statistic and It was removed from 
the algorithm. 
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Another Improvement to the algorithm was the Incorporation of Integral 
action in the Kalman filter to Improve the steady state accuracy of the Fan 
Turbine Inlet Temperature (FTIT) estimate. One Important engine control mode 
Is the limiting of FTIT at high power operation. Because the FTIT sensor Is 
relatively slow, control action Is based upon the dynamically faster FTIT 
estimate. Because the FTIT limiting control has Integral action, a high degree 
of steady-state accuracy In the FTll estimate Is required to ensure satis- 
factory control. This accuracy is accomplished by augmenting the seven algor 
Ithm filters (one for the accommodation filter and six for the hypothesis 
filters) with the following additional state equation. 

b = K&*y 
F fil = z 5 f b 

where K& is a gain matrix, b Is the temperature bias, 25 Is the unbiased 
temperature estimate, and y Is the vector of residuals from the accommodation 
filter. The addition of these dynamics, while Improving FTIT estimation 
accuracy, results In a larger minimum detectable FTIT drift failure rate. 

Finally, the soft failure detection/isolation threshold was modified. 
Originally, thresholds were determined by noise statistics and then modified to 
accommodate modeling error effects. It was soon apparent from Initial evalua 
tiori studies that transient modeling error was dominant In determining the 
fixed threshold levels. It was also clear that this threshold was too large 
for desirable steady-state operation. Thus, an adaptive threshold was Incor- 
porated. The adaptive threshold Is triggered by an Internal control system 
variable, Mt ran , which Is Indicative of transient operation. When the engine 
experiences a transient Mt ran Is set to 4.5, otherwise It Is 0. This variable 
Is used as follows to modify the Isolation threshold Xj, as follows. 

M = MSS * (MXP + l) 

•t * X tx p f X EXP = M tran 

where Xjss is the steady-state detectlon/lsolatlon threshold and t = 2 sec. 
The values of Xx$s> t and Mt ran were found by experimentation to minimize 
false alarms during transients. The adaptive threshold expansion logic enabled 
Xiss to be reduced to 40 percent of Its original value. 

These three Improvements represent the major changes to the AD1A algo- 
rithm. The next section describes how the modified algorithm was Implemented 
Into commercially available, microprocessor based, hardware and software. 


A01A IMPLEMENTATION 

The hardware Implementation of the ADIA algorithm requires the Integration 
of the algorithm with the F100 Multivariable Control (MVC) (ref. 4). The F100 
MVC had been Implemented on an 8086 microcomputer (ref. 5). The AOIA was 
merged with this MVC Implementation to give a full microcomputer Implementation 
of the control algorithm with sensor analytical redundancy. The F100 engine 
system dynamics require a combined MVC and ADIA update Interval of 40 msec or 
less . 
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A microcomputer system for real-time controls research has been designed 
and fabricated at Lewis (ref. 6). The controls microcomputer within the system 
Is based on the Intel 8086 microprocessor architecture. In order to Implement 
the combined MVC/ADIA and satisfy the update Interval requirement of 40 msec, 
a second 8086 based CPU was added to the controls microcomputer (ref. 1). This 
second CPU runs In parallel with the first. Data Is transferred between CPU's 
through dual-ported memory and synchronization between CPU's was achieved 
through Interrupts. Initially, only the normal-mode accommodation filter and 
the hard detect logic from the ADIA were Implemented. This allowed a straight- 
forward evaluation of the parallel processing mechanism. It was assumed that 
the soft failure detection and Isolation logic could be added to the second 
CPU at a later date. 

During algorithm development, the soft failure Isolation logic was only 
run after a soft failure was detected by the soft failure detect logic. Due to 
the complexity of the soft failure Isolation logic and since It was felt there 
might be some benefit to running the soft Isolation logic In parallel with the 
soft detect logic, a third CPU was added to Implement the soft Isolation logic. 
Data transfers and synchronization were accomplished In the same manner as with 
the two-CPU Implementation. Most recently, the 8086 based CPU's were replaced 
with 80186 based CPU's. The new CPU's are software compatible with the old 
CPUs, but are considerably faster. The relative timing for the three CPU's Is 
shown In figure 2. 

As shown In the figure, the different parts of the combined MVC/ADIA algo- 
rithm are divided among the three CPU's. The MVC Is Implemented In fixed point 
assembly language on CPU number 1. At the time the MVC was originally Imple- 
mented on a microcomputer, It was felt that assembly language programming using 
fixed point arithmetic was necessary to achieve real-time execution of the 
algorithm. With the availability of the 8087 floating point coprocessor for 
the 8086 came the capability of Implementing real time controls In floating 
point arithmetic. The majority of the ADIA algorithm running on CPU's numbers 
2 and 3 Is Implemented using floating point arithmetic and the application 
oriented language FORTRAN. F0R1RAN was chosen because the ADIA was originally 
coded In FORTRAN, and because a fairly good compiler was available for the 
8086-8087. 

The advantages of using an application language rather than assembly lan- 
guage Include higher programmer productivity, increased readability, and easier 
maintenance. The primary disadvantage Is that It generally produces less effi- 
cient object code than the equivalent assembly language. 

Execution efficiency Is critical for real-time controls. So, for the 
ADIA, table lookup routines (ref. 7), which are executed frequently In the 
algorithm, and the hardware Interface routines which have no FORTRAN equiva- 
lents, are Implemented In assembly language. To allow the remainder of the 
algorithm to remain In FORTRAN, the source code has been optimized to make It 
run more efficiently (ref. 8). As shown In figure 2, the entire MVC/ADIA 
algorithm now executes In less than 40 msec. 

The programs for each of the CPU's are downloaded Into the CPU's using a 
commercially available disk operating system, CP/M-86. The Microcontroller 
Interactive Data System (MINDS) Is used for data acquisition (ref. 9). This 
software package runs on CPU number 1 In the spare time that the CPU Is not 
executing the MVC algorithm (fig. 2). The package has both steady-state and 
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transient data-taklng capabilities and can access any variable In the MVC or 
AD1A algorithms. The data taken can be uplinked to a mainframe computer for 
off-line processing. In addition, the software has been enhanced to allow 
plotting of transient data on-line while the control microcomputer Is operating 
(ref. 10). The on-line transient data display of Internal MVC and ADIA vari- 
ables was an Indispensable tool In the evaluation process. 


ALGORITHM EVALUATION 

This section describes the test setup used In the evaluation of the algo- 
rithm and gives the more significant results. These Include the accuracy of 
the estimates generated by the simplified engine model and the simulated 
detectlon/lsolatlon/accommodatlon performance of the algorithm. 


Test Setup 

The algorithm was evaluated using a real-time hybrid computer simulation 
of the F100 engine. The testbed system consists of the hybrid computer simu- 
lation of the engine, the microprocessor based control computer and Its Inter 
face and monitor (CIM) unit, the Sensor Failure Simulator (SFS) unit, and a 
data handling utility. 

The F100 engine hybrid simulation Is a nonlinear, real-time, 32nd order 
model that Includes sensor and actuator dynamics. Differential equations are 
solved on the analog portion of the hybrid. Component performance Information 
Is stored In the digital computer with Interpolation and table lookup functions 
being handled by digital software. A complete description of the simulation 
and Its accuracy performance Is given In reference 11. 

The Control, Interface, and Monitoring (CIM) unit (ref. 6) contains the 
microcomputer described In the Implementation section. In addition. It con- 
tains hardware and cabling to allow the microcomputer to Interface to the 
engine or simulation of the engine being controlled. Lastly, a monitoring 
system Is contained In the CIM unit which allows the signals between the micro- 
computer and controlled engine to be checked for correctness. 

lhe SFS unit consists of a personal computer driving discrete analog hard- 
ware. The SFS can simulate any preprogrammed sensor failure consisting of four 
basic types: a scale factor change, a bias, a drift, and noise. The SFS 

allows complete and repeatable control over the failure size and timing. 

Details of the SFS are given In reference 12. 

Data handling Is accomplished through the MINDS utility program. This 
program Is described In the Implementation section. 


Estimate Accuracy 

The single most Important element In determining ADIA algorithm perform- 
ance Is the accuracy of the engine output estimates used In the algorithm. 
These estimates are determined using a Kalman filter which Incorporates a 
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simplified engine model. The accuracy of the output estimates for both steady- 
state and transient operation was evaluated at various engine operating points. 
An engine operating point Is defined by the pilot's power request (Power Lever 
Angle, PLA), and the altitude (ALT) and Mach number (MN) at which the engine 
Is operating. 

Steady-state accuracy was obtained In a straightforward manner. The slmu 
latlon was "flown" to the desired operating point and allowed to reach steady- 
state. Then control execution was halted (or frozen). MINDS was then used to 
sample and store a set of steady-state data. Comparisons of measured and 
estimated variables for six operating points are given In table I. Table I 
shows the difference (the residual) between sensed and estimated fan speed, N1 , 
compressor speed, N2, burner pressure, PT4 , exhaust nozzle pressure, PT6 , and 
fan turbine Inlet temperature, FTIT as a percent of nominal value. From these 
comparisons It Is clear that the estimates exhibit excellent steady state 
accuracy (except for PT4 at the 55K point). 

Transient accuracy data was obtained In the following manner. Again the 
simulation was flown to the desired operating point and allowed to reach 
steady-state. An idle-to-lntermedlate-power PLA pulse transient was then slmu 
lated (fig. 3) at three different operating conditions. MINDS was used to 
sample and store data throughout the transient. An example plot of sensed and 
estimated fan speed and Its residual, as well as the hypothesis statistic for 
fan speed are presented In figures 4 to 6. The residual Is the difference 
between the sensed and estimated variables. The hypothesis statistic, H^, 

Is found from 


H 1 = yJWy 0 - y}WYi 

and yi Is the residual vector from the 1th hypothesis filter and yO Is from 
the accommodation filter, and W is a normalizing matrix. Trajectories in 
figures 4 to 6 give the reader a "feel" for the summarized results of tables II 
to V. Figure 6 also shows the threshold Xj, as produced by the adaptive 
threshold logic. In table 11 the maximum value of the residuals obtained In 
response to the reference transient Is given for each output at each of the 
three operating points. In table III the average absolute values of the resid- 
uals are given. Since detection performance Is determined by the hypothesis 
statistics, estimate accuracy. Interpreted In terms of these statistics. Is 
critical to understanding algorithm performance. The maximum hypothesis values 
and the average hypothesis values are given In tables IV and V, respectively, 
to summarize transient accuracy for the reference trajectories. Plots of the 
hypothesis statistics became the standard tool used by the authors for evalua- 
tion and performance prediction. Overall, transient accuracy was considered 
to be quite good although not as good as steady- state accuracy. It was fairly 
evident then, that detection performance could be greatly improved If different 
thresholds for steady-state and transient detection were allowed. This obser- 
vation led Immediately to the Implementation of the adaptive threshold logic 
described previously. 
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Detection/Accommodation Performance 


Two types of failure were considered, hard and soft. Hard failures are 
defined to be large magnitude, perhaps out-of-range, failures. Because of 
their size, they are easily detected. Thus, hard failure detection performance, 
although Important to system reliability. Is not examined here. The AD1A algo- 
rithm exhibits excellent hard detection performance. Soft failures are defined 
to be small magnitude. In range failures that may accrue over time. Although 
small In magnitude, these failures, If undetected, may result In degraded or 
unsafe engine operation. Soft failures are more difficult to detect, and 
therefore we concentrate on soft failure performance. Two soft failure modes 
were considered, biases and drifts. Failures due to noise changes are not 
considered. Performance criteria studied were minimum detectable bias values 
and drift rates, detection time, steady-state performance degradation, and 
transient response to failure accommodation. 

The procedure followed to obtain performance data was Identical to that 
used to obtain transient accuracy data. Additionally, the SFS was used to 
Inject a sensor failure of the appropriate size and at the desired time. The 
results obtained are summarized In table VI for minimum detectable biases and 
In table Vll for drifts. In table VI the minimum detectable biases at six 
different operating points for each engine output are given. Detection times 
for these biases were essentially Instantaneous. In table VII the minimum 
detectable drift rates are given. These rates were determined by adjusting the 
drift magnitude such that a failure was detected 5 sec after failure Inception. 
Typical transient responses are given In figures 7 and 8. Since these are 
nominally steady-state responses, the hypothesis statistic Is at Its steady- 
state value. These responses show acceptable failure transient performance 
with little or no loss In steady-state performance. 


CONCLUSIONS 

An advanced sensor failure detection, isolation, and accommodation algo- 
rithm has been developed, Implemented, and evaluated. The development Included 
an adaptive failure detection threshold. Ihe algorithm was Implemented using 
a three-microprocessor, parallel architecture. The evaluation used a real-time 
hybrid computer simulation of an advanced turbofan engine. Estimate accuracy 
performance was excellent. Minimum detectable levels of bias and drift type 
failures were determined at seven operating points for all five sensed outputs. 
These minimum failure levels represent excellent algorithm detection and accom- 
modation performance. This algorithm performs quite well In the real-time 
environment and Is ready for a full scale engine demonstration. Such an engine 
demonstration is currently planned for July 1986. 
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TABLE I. - STEADY-STATE ESTIMATION ACCURACY RESULTS 
(PERCENT OF NOMINAL), NO SENSOR FAILURES 


Operating point 

Estimation error, percent of nominal 

Altitude, 

ft 

Mach 

number 

PLA, 

deg 

N1 

N2 

PT4 

PT6 

FTIT 

10K 

0.6 

83 

0.43 


-3.16 

-0.53 

0.11 

10K 

.9 

50 

-.06 


-.21 

1.53 

.11 


.9 

83 

.42 


-1.36 

-.69 

.04 

45K 

.9 

60 

-.12 


-1.87 

-1.45 

.04 


1.2 

83 

.17 

.11 

-1.36 

.33 

.11 

55K 

2.2 

83 

-.33 

.54 

5.64 

-2.48 



TABLE II. - MAXIMUM RESIDUAL VALUE (PERCENT OF 
NOMINAL) IN RESPONSE TO PLA PULSE INPUT, 

NO SENSOR FAILURES 


Operating 

point 

Estimation error, percent of nominal 

Altitude, 

ft 

PLA, 

deg 

N1 

N2 

PT4 

PT6 

FTIT 

10K 

0.6 


Esa 

6.50 

12.55 

5.78 

30K 

.9 

■ 

Ba 

4.48 

13.08 

5.49 

10K 

.9 

4.30 

Da 

5.22 

14.98 

5.68 


TABLE III. - AVERAGE RESIDUAL ABSOLUTE VALUE 
(PERCENT OF NOMINAL) IN RESPONSE TO PLA 
PULSE INPUT, NO SENSOR FAILURES 


Operating 

point 

Estimation error, percent of nominal 

Altitude, 

ft 

PLA, 

deg 

N1 

N2 

PT4 

PT6 

FTIT 

1 . 

0.6 

0.77 

0.24 

1.67 

2.33 

1.44 

1 

.9 

.63 

.28 

.92 

2.94 

1.64 


.9 



.60 

.42 

.78 

2.98 

1.39 











































TABLE IV. - MAXIMUM HYPOTHESIS VALUE IN RESPONSE TO PLA 
PULSE INPUT, NO SENSOR FAILURES 


Operating point 


Maximum hypothesis value 


Altitude, 

ft 

PLA, 

deg 

N1 

N2 

PT2 

PT6 

FTIT 


0.6 

0.8748 

0.3420 

0.2862 

0.5976 



.9 

.2413 

.1456 

.0755 

.3050 

.0420 


.9 

1.0250 

.2361 

.1616 

1.3400 



TABLE V. - AVERAGE HYPOTHESIS ABSOLUTE VALUE IN RESPONSE 


TO PLA PULSE INPUT, NO SENSOR FAILURES 


Operating 

point 

Average hypothesis value 

Altitude, 

PLA, 

Nl 

N2 

PT2 

PT6 

FTIT 

ft 

deg 






mmm 

0.6 


0.0566 

0.0441 

0.0587 

0.0100 


.9 


.0374 


.0445 

.0074 


.9 

mm 

.0467 

.0384 

.1240 

.0103 


TABLE VI. - MINIMUM DETECTABLE BIAS FAILURE 
(PERCENT OF NOMINAL) 


Operating point 

Minimum bias failure 

Altitude, 

Mach 

PLA, 

Nl 

N2 

PT4 

PT6 

FTIT 

ft 

number 

deg 






10K 

0.6 

50 

3.47 

2.60 

6.39 

12.02 

12.00 


.6 

83 

3.41 

2.67 

3.85 

7.74 

8.75 

3 OK 

.9 

50 

3.43 

3.10 

10.92 

18.10 

12.36 

30K 

.9 

83 

3.25 

2.73 

6.99 

13.24 

9.41 

10K 

.9 

50 

3.54 

2.60 

6.17 

9.74 

12.17 

10K 

.9 

83 

2.91 

2.66 

2.86 

6.40 

8.72 


TABLE VII. - MINIMUM DETECTABLE DRIFT FAILURE 


(PERCENT OF NOMINAL/SEC) 


Operating point 


Minimum drift 

failure 


Altitude, 

ft 

Mach 

number 

PLA, 

deg 

Nl 

N2 

PT4 

PT6 

FTIT 


0.6 

50 

wm 

0.87 

1.28 

3.20 


10K 

.6 

83 

IS9 

.95 

.38 

1.55 

4.08 

3 OK 

.9 

50 

■Erl 

.89 


3.95 

5.77 


.9 

83 

1.50 

.97 


2.65 

4.39 

10K 

.9 

50 

1.18 

.87 

1.14 

2.13 

5.68 

10K 

.9 

83 

1.21 

.95 

.52 

1.28 

4.07 
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Figure 1. - ADIA/F100 testbed system. 
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Figure 2. - ADIA timing - 8 MHz MSC 8186. 
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Figure 3. - Idle to intermediate power pulse transient used 
to generate transient results. 
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Figure 6.- Fan speed hypothesis statistic and detection 
threshold for 10K/.6 operating condition. 



Figure 7. - Sensed estimated and actual fan speed for a drift 
failure (failure time = 1 sec, detect time = 6.5 sec) oper- 
ating point is 10K/. 9/83. Drift rate= 125 rpm/sec 
(1. 21%/sec of nominal). 
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Figure 8. - Hypothesis statistic and threshold for fan speed 
drift failure of 125 rpm/sec at 10K/.9/83 operating point. 
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